Neal Stephenson put it best in Snow Crash that “Until a man is twenty-five, he still thinks, every so often, that under the right circumstances he could be the baddest mother&^%#er in the world.” I think that deep down in every InfoSec professional’s heart, we want to be that mother&^%#er. We think, every so often, that we could go rogue, drop off the radar, and launch a one man war against the script kiddies, mafia types, and general ne’er-do-wells that inhabit the Internet. I think that’s why some of us are having a tough time reconciling th3j3st3r’s actions within their own moral code of being one of the “good guys”. I think everyone agrees that the sites being attacked are “bad” in the incredible sliding scale of morality. The question that comes up is: Does leveraging methods such as DoS attacks against “bad” sites result in a “bad” or “good” outcome?

I think that this question can be answered by one of Hollywood’s legendary bad mother&^%#ers, Harry Callahan. In the 2nd film of the “Dirty Harry” series, Magnum Force, the plot revolves around a group of cops that have “gone rogue” and are taking out criminals in San Francisco. Now, anyone who has watched the “Dirty Harry” series (You have, haven’t you? If not, go order it on NetFlix and watch it. Go Ahead. I’ll wait… Back? Good, huh?) know that Callahan is a cop who gladly tosses out the rulebook when it gets in his way of getting the bad guy. While trying to reconcile the rogue cops methods against his own playbook, there is an important quote by Callahan: “I hate the goddamned system, but until someone comes along with changes that make sense, I’ll stick with it.” This should be the mantra of every information security professional who deals with the scum of the Internet day in and day out. There is a system that we use, such as takedowns and working with ISPs to get bad material removed, and while it fails on a regular basis, it’s what we have to work with. I know how difficult it can be, as I have been on the front lines desperately trying to work with ISPs to take down a phish or a piece of malware from their servers and running into stone wall after stone wall. I’ve often wished for some kind of more effective system. While I don’t think anyone can debate the effectiveness of th3j35t3r’s tactics, I feel they cross a line that should not be crossed. While I feel that the removal of such sites is a good thing, the methods in which it is accomplished is not.

The question of morality aside, no one knows exactly “how” th3j35t3r is DoSing these sites, th3j35t3r says it’s “like a DDOS attack, except without the first ‘D’. There is nothing ‘distributed’ about this. It is possible with very low bandwidth and a single low-spec linux machine.” While judging from his description I have an idea of what his tool of choice may be, we likely won’t know due to the sites he’s choosing since they aren’t the ones who are likely going to run to the authorities. The ones that are talking are making their own assumptions and are mostly conjecture. So, it’s likely we won’t know any time soon exactly what he, or she, is doing. Does it affect other sites on the same network? Could it be disrupting critical services hosted on the same netblock? Are the attacks being pivoted across systems that did not give permission to be involved? Is there any collateral damage? Until we know exactly what’s going on, we can only guess.

There’s another quote from Magnum Force that I want to toss out here. The quote is “A man’s got to know his limitations” and I feel sums up the debate correctly. I think that, at least in my case, I know my limitations, and I think that DoSing sites, no matter how bad they may be, is beyond my limitations ethically.

UPDATE: Shouts to @Shpantzer for pointing out my ability to make “people operating outside normal or desirable controls” into “red or pink cosmetics for coloring the cheeks or lips” with a single typo.

Personal politics and concerns about whether this is .gov worthy or why we need this when we have presidentialtransition.gov aside, this is an important lesson on why QA is important before putting your website/code/whatever into a production environment. People have release early/release fast/release often mentality when dealing with code. This can be fine when you are dealing with a project that no one expects to be 100% on the first pass. But when you are dealing with a site that should be a somewhat of a flagship for your “brand” it helps not to have embarassing SNAFUs like this:

Also, this SCREAMS possible XSS security hole to me (Note, this isn’t my screenshot, I didn’t test this, nor do I condone or endorse probing .gov sites for security holes without permission)

All of this annoys me to no end as a security guy, as QA is when we usually get called in (at the last minute) to “make sure we’re secure.” More often then not, when I tell them, in fact, they are not secure, I get “Well, we can’t fix that right now! We’ll fix it later in production!” from the developers and they try to move forward until someone from management smacks them with a rolled up newspaper. I’m thinking that this a shining example of what happens when the developers go ahead without being smacked. Quality Assurance is a necessary step when moving forward in website. Yes it’s tedious, yes it’s annoying, but it will save you pain and embarassment if you do it correctly.

(Hat Tips to Michelle Malkin for originally pointing out the site and dual_parallel for doing some in-depth research)

The Iowa Democratic Party website was zippy, automatically updating, and from what I can tell, AJAXified.

The Iowa Republican Party website… Well… Not so much.

Apparently my fellow political junkies flooded the Iowa GOP website off the tubes. I’m seeing some more frazzled SysAdmin who thought “Hmmm! Two T1s and a server should be find for my flash heavy, graphically intensive website!” and then cowering when hundreds of thousands of users descended onto his or her server.

Meanwhile, the Iowa Democratic website had the foresight to realize how many people will be clamoring to get to the data. They put a streamlined results page on, and moved it to Amazon’s S3 service which saw our requests and laughed as we made hardly a dent in their bandwidth. I think someone reads Jeff Atwood.

The end result is that I was on the Iowa Democratic Website almost all night, and had to turn to other sources to get the GOP results. Way to go guys.